Slashdot Mirror

← Back to Stories (view on slashdot.org)

Handling Viruses in an Uncontrolled Network?

Posted by Cliff on

An anonymous reader asks: "Recently I've gotten a (volunteer) job looking after a small (approximately 500 computer) network, located within a large block of student flats. We've been having numerous problems with viruses over a few years. They spread like crazy on our network, with 100megabit connections in every residents room. Every so often they 'go off' and start a flood, which of course takes the entire residence network down. I've tried desperately to educate users on the virus problem, but those that are the problem don't care - they ignore every warning they get and just buy a faster computer to compensate for their systems sluggishness. As we only need two or three ping flooding computers to bring down the network it's hard to keep our network up whenever a worm starts its payload. What solutions have Slashdot readers came up with this and similar problems?" "Keep in mind that I'm doing this on a volunteer basis, and that my own study time and personal life takes first priority. The residence isn't prepared to spend more money bringing help or a replacement in, which I can understand given that I pay them rent that I would prefer not to increase. I also don't have any control over the network infrastructure itself, just over our DHCP server. I can't force users to keep their computers safe, as I don't own the things - all it seems I can do is point them to the *FREE!* virus scanner and local Windows update mirror and urge them to protect their computer, and offer to help out those that need it - (although due to time constraints, personally helping out everyone in a 500 member network isn't a possibility).

I can also email off a request to have certain IPs dropped off at the switch, but those users have to come back online soon enough. Whenever someone is infected I try and sit them down and make them realize that keeping their computer safe is their responsibility, and they always seem very attentive whenever we're discussing when they get reconnected to the network, but soon after they'll be infected again."

44 of 579 comments (clear)

  1. Is this really that hard? by Scott+Lockwood · · Score: 5, Insightful
    Hm... Seems pretty simple to me.
    1. Have someone at the school make them sign something that says they will have virus protection and spyware protection on their machines, and that it be kept up to date. Failure to keep the machine clean can result in suspention of service at any time.
    2. When one of them has an infected machine that starts pinging the shit out of your network, Unplug them!
    3. Point to document mentioned in step 1 above when they start whinging about it.

    There see, that wasn't too hard!
    --
    But this is slashdot. A slashdoter who didn't build his own computer is like a Jedi who didn't build his own lightsaber!
    1. Re:Is this really that hard? by fembots · · Score: 5, Funny

      Is 1. "Profit!!" ??

      --
      Rock that crushes, Paper & Scissors that don't matter.
    2. Re:Is this really that hard? by _Sharp'r_ · · Score: 5, Insightful

      Or slightly faster:

      1. IDS set to trigger on specific patterns and events (if you have been seeing this stuff on your network constantly, you'll know what to look for already.), you can even set some up free using FOSS.
      2. the IDS alerts then trigger shutting down their switch port and notify an admin. Depending on your switch port mapping database, you can even email the user.
      3. See Scott's post above for signature/cleaning cycle.

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    3. Re:Is this really that hard? by Anonymous Coward · · Score: 3, Insightful
      Have someone at the school make them sign something that says they will have virus protection and spyware protection on their machines, and that it be kept up to date.
      The problem with that, is that nobody should care whether or not you have virus protection -- the thing they should care about, is whether or not you run viruses (and that they are noisy viruses that create traffic on the network). If a user doesn't have a policy that running viruses is ok, then that user doesn't need virus protection. So telling them that they're required to run some type of arbitrary, and possibly completely useless software, is draconian. It's inappropriate micromanagement.

      The virus' network activity should be the sole criterion, not the users' methods of preventing it. Users should be allowed to avoid viruses however they see fit.

    4. Re:Is this really that hard? by Anonymous Coward · · Score: 5, Insightful
      But theproblem is these are students and they have work to do. by pulling their plug you are not allowing them to get the work done that they are I presume there to do. So thats not an option.
      That's like saying you can't take a drunk driver's license away, because he needs it to drive to work.

      His "need" is his problem, not yours. He should have thought about that, before he decided to engage in activity that threatened other people.

      Fuck this whole "buy more filters" thing. Place the burden on the users, and then users who behave intelligently, won't have any burden. That is the fair thing to do.

    5. Re:Is this really that hard? by Chyeld · · Score: 5, Insightful

      To put this politely, if they can't be bothered to keep their system clean, they can't have access to the free network.

      To say that 'they have work that must be done' is ignoring the fact that the umpteen (insert hyperbolic number) other users ALSO have work to that must be done and in this case the good of the many out weighs the good of the few or one (damn, did I actually find a good excuse to use that line?).

      Yes, by all means, research methods to contain and control any outbreaks to reduce the issue when they do occur; but in this case prevention is far, far, more effective than mitigation.

    6. Re:Is this really that hard? by MrAnnoyanceToYou · · Score: 5, Funny

      Ah... nah. I'd say,
      "1. Write short document stating that in 'reparation for virus damage' computers would occasionally be confiscated when they managed to infect multiple computers connected to the local network
      2. Notify them of this agreement and make them sign it
      3. When one of them has an infected machine that starts pinging the shit out of your network, give them a 'first warning'
      4. Point to document in step 1 kindly, in writing, and create yourself an Ebay account.
      5. Repeat
      6. Profit and learn to laugh evilly."

      --
      My little site.
    7. Re:Is this really that hard? by drudd · · Score: 3, Funny

      Unfortunately it appears you'll never get to step 6 due to the infinite loop of step 5.

      --
      Venn ist das nurnstuck git und Slotermeyer? Ya! Beigerhund das oder die Flipperwaldt gersput!
    8. Re:Is this really that hard? by tehcrazybob · · Score: 5, Informative

      Indeed.

      My school has a very effective setup for controlling outbreaks. To start, the network is MAC filtered. Any time you connect to the network with an unlisted MAC address, your browser is redirected to a page containing the university Terms of Service for the network. You read this information, toss in your university ID and password and click I AGREE, and the program adds your MAC to the list.

      As outlined in the TOS, there are no warnings. If your computer exibits any viral behavior, your network access is removed. Unless your virus was email-related, you still have access to the mail servers. When you try to use the internet again, you are once again taken to a limited page, which politely tells you that your computer appeared to be infected with a virus. You are given basic cleaning information, as well as the tech department phone number and email address in case you need help. They can also provide you with tools like AdAware, since you won't be able to download these yourself. Then, once you are confident your computer is clean, you call the tech department, and they run a quick check to see that your computer is no longer showing viral activity. At this point, your network access is returned.

      There are no warnings. As soon as you cause a problem, the problem (you) is removed. Once you fix the problem, access is restored. I don't know their policy for repeat offenders, but I assume there is something.

      --
      Computers need to explode more often.
    9. Re:Is this really that hard? by Vengeance_au · · Score: 4, Interesting

      Thats just wrong. Here in Australia, you lose your drivers license for drink driving, and you are not behind the wheel of a car for however long you get pinged (6 months being the minimum). You can plead the case in court, but there are very few exceptions made.

      I fully support this policy - you decide to risk MY life on the roads, you pay the penalty. Can't get to work now that you've committed a crime and are doing the "time"? Well, hopefully you will realise how important having a license is to your life, and you won't ever drink/drive again. And also, be thankful you didn't injure or kill another road user, pedestrian or even yourself...

      To segue this back onto topic, same rules should apply in this situation. You put others at risk or deny them access to the network due to your inability to load a freely available, well publicised and mandatory on the network you are using tool, then you do the "time". Access cut off and you can't work? Well, perhaps next time you will ensure the virus scanner and firewall software is running, you won't have the issue, and those around you are not impacted.

    10. Re:Is this really that hard? by BlueJay465 · · Score: 3, Insightful

      I have a better solution: become a BOFH, get your hands on a used LART, learn how to properly use it, and the students will be eating out of your hand in no time.

      If that doesn't work, have a little chat with the Admin, present the security scenario, and ask to yank the plug on any offending machine as a security threat. Corporations in the real world don't tolerate unsecure boxen, why should the school? Students will learn VERY quick not to cross you.

    11. Re:Is this really that hard? by Houkster · · Score: 3, Insightful
      His "need" is his problem, not yours. He should have thought about that, before he decided to engage in activity that threatened other people.

      I have to agree.

      The IT mantra should be: "Lack of planning on your part does not nessecarily constitute an emergancy on mine."

      A better example though would be: Imagine, your car has a blown gasket spewing smoke all over the road and is barely moving under its own power, then add all 4 tires are flat further impeeding your movement. Would you keep driving it cause you had to get to work? Would you be pissed at the cop who pulls you over because your car is causing a 10 mile traffic jam on the 405?

      Need I say anything more to get the point across?

      --
      The Houkster "Oh yeah brother, what you gonna do when Houk O' Mania runs wild on you? Besides wet your pants in laughte
  2. No more access by nizo · · Score: 4, Interesting

    Forcing people to have up-to-date virus/firewall software before they can even connect to the network would be a good start. Turning network connectivity off for offending computers/users for progressively longer spans of time after they infect the network seems like a good deterrent as well. I suppose posting the names of people who infect the network and bring it down might work, though the screams from the public beatings might make it hard for you to sleep at night.

    --
    I Am My Own Worst Enemy
  3. DOOOMMMMED by Anonymous Coward · · Score: 4, Funny

    You are DOOOOMMMMMED.

  4. Simple. by Skudd · · Score: 5, Funny

    Write your own virus to send them massive payloads of anti-virus software. :P

    1. Re:Simple. by jemenake · · Score: 5, Insightful
      You need more power. Otherwise you will fail in your job
      Just about all of the posts thus far have been along the lines of "Pull the plug on the people who don't care until they *do* care.... IF the administration will let you."

      Here's an alternative to the "IF the administration will let you" part. Make use of the fact that nobody else really understands what it is the wizard (you) does behind the curtain:

      Implement whatever service termination solution you feel necessary (whether by writing/downloading some automated system, or by doing it manually yourself). When the offender calls to complain, *don't* say that they were shut off administratively. Tell them that the massive traffic from their machine "overloaded" the port they were on (tell them it's kinda like a circuit breaker on house wiring).

      They'll say that this never happened before. Tell them that they've got a newer, more-aggressive virus.

      They'll ask that their port be "reset". Tell them that, due to all of the machines that they helped infect, and to the convoluted process for "resetting" a port, there's a backlog of a couple days before you can get their port reset.

      Maybe they'll ask if you can just plug them into a different port. Tell them that they're all maxxed out.

      At some point, Administration might ask why this is happening. Tell them the same thing you told the users... new, nastier viruses. They might ask what new equipment they could get to fix the problem. Tell them that the BFS-9000 can do it... but it's very... very expensive. It would be much cheaper for everyone to just use virus protection.
  5. Uncontrolled Viruses by Anonymous Coward · · Score: 5, Funny

    Have you considered spankings? At least for the hotter co-eds. After all, they should know better.

  6. 3 Strikes policy? by fahrvergnugen · · Score: 4, Insightful

    It sounds like you've been completely neutered. If at all possible, talk to the administration about instituting a "3 strikes" policy. That is, if someone's computer causes a network-wide issue 3 times, their network drop stops working for the remained of the year.

    That'll clean their acts up in a hurry, or at least make your life easy.

    --
    Even Jesus hates listening to Creed.
    1. Re:3 Strikes policy? by lakeland · · Score: 4, Interesting

      Remainder of the year probably isn't smart in an environment that previously has seen no enforcement. I'd be using a sliding scale with punsihment at each stage in order to get people used to the idea that you are serious.

      Something like: first offence, 24hr ban; second offence, 7 day ban; 3rd offence, 1 month; 4th offence, one year and an email to all 500 with the photograph of the person who has been stuffing up their computers.

      Once you've got people used to the idea they will be punished you can swap to something like the 3 strikes policy. But at first you're going to get idiots testing you, and so two warnings is too soft while a year-long ban is hellova hard for a first punishment.

      There are alternatives of course. Install an 802.11g network in parallel with strict rules. Disobey them once and you get a stern warning, twice and you're banned for life from it. That way you'll naturally see people migrate to the network which 'works' without the fight with idiots.

      Oh, I'm assuming this is targetted at teenagers at or near college level. If you're dealing with mature adults then it is much easier.

  7. Move out? by Eezy+Bordone · · Score: 5, Insightful

    Seriously, volunteering to be THE on-site tech support for 500+ users is insane, especially since you're not even getting a discount on your housing. Quit the job or move out so you can worry about your own network.

    --

    -EB

    Do you ever walk alone like a drifter in the dark?

  8. Ban them by nadamsieee · · Score: 5, Insightful

    Isolate the computers that are spreading the virus and shut down their access to the DHCP server based on their MAC address. Then make the reconnect process as painful (yet educational) as possible. >:)

    1. Re:Ban them by morcego · · Score: 3, Insightful

      I'm sorry, but I always thought that painful is by itself rated educational: "Don't mess with the netadmin".

      Serious now, I have been administering networks for about 15 years now (a lot less than many people on /., I know), but one thing is for sure. Unless your userbase respects you, there isn't anything you can do. The way to institute that degree of respect will change from network to network. Sometimes it takes a message from a company director, sometimes it take imposing fines for people breaking the rules. Sometimes, all it takes is to let the network crash and burn, so they can see that network administration is important, and it is up to THEM to have it working.

      --
      morcego
  9. Seems simple enough. by FyRE666 · · Score: 4, Insightful

    If you can't put the bad users on a slow switch, and force them through an even slower proxy to make their life hell, then see if you can't organise a minimum disconnection period. Say 10 days or so to reconnect the idiots who keep getting infected. Since you control the dhcp server, you could filter them out by their mac address so they can't wander over to someone elses room to connect. Yes, they could probably circumvent this with a little knowhow, but let's face it, an idiot who's managing to become a virus writer's bitch every week isn't likely to have too much in the way of technical knowledge...

    --
    Code, Hardware, stuff like that.
  10. A recent Poll... by Shadow+Wrought · · Score: 4, Funny

    Regarding revenge might help you come up with, shall we say, colorful solutions to your problem. Either that or figure out a way to have all of their papers "lost" due to the virus;-) In this regards, I would suggest that you channel your inner BOFH.

    --
    If brevity is the soul of wit, then how does one explain Twitter?
  11. Wasting your time by ibpooks · · Score: 4, Insightful

    It really sounds like you're wasting your time.

    You don't have control over the users, the machines, or the routers; so what the hell can you expect to do?

    Sounds like the best option is to unplug the offending machines from the patch panel until they can demonstrate they are virus-free. Although that is likely not a viable solution if these are paying customers.

    1. Re:Wasting your time by Knara · · Score: 4, Insightful

      It can be viable if the students had to sign an AUP from the campus IT department when they moved in (which I get the feeling is fairly common these days on major campuses). Worked at a place where they just turned off the switch port of offending machines, and then if the student wanted to get access back, they had to call in to the help desk and go through the process of setting up a schedule technician visit, which may be pretty far off depending on the time of year.

      Was kinda hairy the first couple weeks of fall semester for the techs and the helpdesk (which will happen no matter what), but very few repeat offenders.

  12. Stop volunteering by lelitsch · · Score: 5, Insightful

    Seriously, it seem like this is an unsolvable problem and neither the users nor the administration seem to want to spend any effort in fixing it. So the sooner you realize that there is nothing you can do, the better. Help out with the IT system at your local Humane Society, womens shelter, or similar instead.

    Oh, and get your own DSL or cable modem.

  13. Simple. by grasshoppa · · Score: 4, Insightful

    You need more power. Otherwise you will fail in your job ( unless you take to violence ).

    Students need to be kicked off the network until their computers are clean. If they are kicked off x times, they are off until they come to you and sign a form saying they understand how to keep their computer clean. y more time(s), they are off for the rest of the semester.

    Simple, effective. You will need a couple decent switchs capable of shuting down ports ( or you could just yank the wire ).

    If you don't have this level of power over the network, get rid of any access you do have. The higher ups only want a scape goat.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
  14. DHCP server is all you need. by strredwolf · · Score: 4, Informative

    Just reconfigure the guys that keep spewing to ether deny access, or return that the computer's IP address is 127.0.0.1.

    When they come in complaining, babysit them at their computer.

    --

    --
    # Canmephians for a better Linux Kernel
    $Stalag99{"URL"}="http://stalag99.net";
  15. Stage virus drills by bigtallmofo · · Score: 5, Insightful

    Send them emails with executable attachments. If they click on the attachments, ban them from the network for a week.

    Send these out frequently. Soon they'll instinctually hit the DEL key when something with an attachment comes in.

    --
    I'm a big tall mofo.
  16. Sure it's an option by CarrionBird · · Score: 4, Informative

    by clogging the network, they prevent other people from doing thier work. It's standard procedure at some universities to shut off the ports of problem systems.

    --
    Free Mac Mini Yeah, it's
    1. Re:Sure it's an option by David+Horn · · Score: 4, Informative

      I work as a "student advisor" at Leeds University and every student is issued with a free license to McAfee Virusscan Enterprise.

      When connecting for the first time, they have to enter their university username and password so the IP address can be tied to their MAC address and the computer logged.

      If their software detects viral traffic from their PC, they're automatically cut off from the net and a webpage comes up explaining why. They don't get re-connected until myself (or one of my colleagues) verifies they have virus scanning software installed and their PC is clean.

      First few weeks of term there were a lot of people cut off, but virus infections now are next to nothing because everyone has the software running.

      Apart from this, the internet connection here is extremely good. Fast and reliable, and no port blocking.

      --
      PocketGamer.org - For the gamer on the go!
  17. Egress filtering by MoogMan · · Score: 4, Informative

    The idea is simple: Egress filtering.

    Strict policies on outgoing traffic for untrusted networks is essential.

    I would suggest a default policy of something like www, ssh, msn/aim im, p2p programs (possibly, depending on the uni's rules and regulations).

    Providing you have a mechanism for giving the students access to other ports when necessary, then there should be no problem enforcing a strict egress policy.

  18. NetReg by DA-MAN · · Score: 4, Informative

    I also don't have any control over the network infrastructure itself, just over our DHCP server.

    With this you have all you need to run a NetReg server within your infrastructure. With this you can allow users to register their machines automatically. Any user with a virus or other such malware gets their dhcp entry deleted, and they are on a private network that goes to where you define. I would allow antivirus sites, antispyware sites, and windowsupdate only (or better yet, a local mirror).

    Have them send an e-mail to user@host once this is complete and you can re-activate their lease.

    --
    Can I get an eye poke?
    Dog House Forum
    1. Re:NetReg by vco123 · · Score: 5, Informative
      1. With DHCP and Netreg, you do control the network. Keep your registered leases short ( 2 hrs ).
      2. Be sure to disable external DNS calls at the router ACL, to force people to use Netreg.
      3. Run 2 instances of BIND with Netreg and selective DNS forwarding to allow Windows Updates, LiveUpdate, IT Support and Spyware. ( see Netreg-l from last August).
      4. Bump infected computers out of registration, so that they can't phone home as easily. Alternatively, use groups with ISC DHCP to force an infected MAC to use the Netreg bogus DNS to "quarantine" them.
      5. If you can, ask the network dudes to disable 25,135,445/tcp for your unregistered IP ranges. That'll limit the infected PC a bit.
      6. If you start to see a virus frenzy, shut ports off fast. It'll save time later.
      I've run a 4000 computer RezNet this way for 4 years.
      As to infected computers, I'm working on a Netreg extension that includes a "Your're infected" group. It's like being unregistered, but DNS forwards to a virus notification page.
  19. Block MS ports by rdejean · · Score: 3, Informative

    Students in our dorms have no need for Microsoft ports, which is the primary reason worms can take down the network. So i block port 137,138,139,445 at the switch port level.

    Granted this doesn't solve the virus problem on the computer, but it sure does prevent it from taking down the rest of the network.

  20. Re:You are in control! by courcoul · · Score: 4, Informative
    Amen to that! Or, it just may be that his post is only the ceremonial position of "official scapegoat" that takes the fall when the poop really hits the propeller blades... Short recipe for the cure (provided he IS the admin):
    • Get an extra PC on the backbone of the network, so it can monitor all the traffic. Anything bigger than a x486 is good enough, say with 128MB or more of RAM.
    • Install OpenBSD ( http://www.openbsd.org/ ) on it (most hardened free OS around, so the hackers can't take you down so easily).
    • Install SNORT ( http://www.snort.org/ ) on it. Configure to work as a network IDS and keep it up to date with the latest vulnerability/virus plugins.
    • Once SNORT gets wind of an infected machine, set it to do one of three things:
      • If you have the tech skills to set it up, have SNORT block out the switch port where the offending PC is plugged in AND send you a message. When the owner cleans up their act, reactivate the port and restore connectivity.
      • Else, have SNORT send you a message with all the details and YOU do the port blocking, if you can. The rest proceeds as above.
      • Else, have SNORT send you a message so you can bitch whomever has the capability to block the port. The rest proceeds as above.
    • If your authority is so puny that you cannot do any of these things, you could resort to sending out a mail to all the rest of the users of the network, and letting them know who the miscreant screwing up their connectivity is, and let peer pressure do its thing...
    Good luck!
  21. Why does the network go down? by g-san · · Score: 4, Informative

    Have you figured out exactly why a few infected computers is bringing down your whole network? I could see if they are scanning local subnets, you would have a lot of broadcast ARP packets. If they are scanning remote network IPs, you may be filling up a cache on the outbound router. Are you sure you don't have a few people just playing with NMAP? Is it inbound traffic or outbound? Identify the nature of the traffic when the network implodes, look for a pattern, and see if you can mitigate that. Use ethereal for that.

    This is a *switched* network isn't it? Hopefully yes, and with a firewall also. I really can't see why someone would need inbound tcp/135,137,138,139,445,1025 or udp/135,1026-1029 nowadays. That would prevent malware that is not spread by email or Explorer. I won't recommend you dictate the browser or email client people use, but it's a possibility to have a outbound web proxy not forward any requests from IE.

    You might also want to look into snort, you could at least have it alert you when the problem starts, or shut down ports, but sounds like you have not had much luck with that. Note rather than drop people off the face of the earth, at least make sure they can get to antivirus sites and microsoft updates. This is tough without access to the infrastructure but would improve things.

    Another suggestion is if you do not have alot of room to room traffic, and you do not have a 100mb conenction to the net, configure all ports to 10mb. At least that way it takes more than 10 users to flood your 100mbit backbone. And users accessing the net are always throttled by your outbound connection so they won't know the difference.

    I assume you volunteered for this because you like like this stuff. Note that if you *did* spend more time on this problem than your schoolwork, and came up with a solution, you might not even need to finish school.

  22. It's just terms of service by WebCowboy · · Score: 3, Insightful

    But the problem is these are students and they have work to do.

    So what? Crap happens...virus ate your thesis, power went out, printer ran out of ink, blah blah blah. Thing is that if you are a responsible person you have contingencies in place to minimise or eliminate the impact of such incidents. If the work is important, you keep backups, spare ink cartriges, update your antivirus, OS, apps, etc...and most importantly you don't procrastinate to the point where you are in crisis mode. If you don't do all of the above then you should be prepared to follow Murphy's Law. If a mishap is unavoidable, you could be granted an extension.

    Thing is, it is standard practice for net admins EVERYWHERE to pull the plug at their discretion should your computer be found to causing network disruption. Taht is a standard condition of almost all terms of service. My ISP would knock you off very quickly should they discover an open mail relay, ping flood or other unusual level of activity, and I pay extra for business-grade service. I agree with other posters here--this guy should put in some F/OSS tools to help manage these problems, and immediately terminate all network connectivity of infected machines ASAP.

    "I have work to do" be damned. Seriously. Part of growing up and going to school is to learn--and people have to learn the consequences of their actions or inactions--that's life. You have to keep your house clean, pay your bills on time, obey the speed limit and traffic signals, etc. If you don't there are negative consequences. Same goes for PC use: ignoring the TOS, not updating your machine, downloading comet cursors and talking gorillas and chat icons and P2P warez is just inviting trouble. Users who repeatedly do those things despite warnings deserve no sympathy at all and should recieve all the wrath the BOFH can deliver.

  23. Quarantine VLAN by realyendor · · Score: 3, Interesting

    Assuming that clients are on a switched network, move the infected systems to a quarantine VLAN whose gateway IP is the same as the net they came from, but whose outbound requests are NAT'd instead of routed.

    Then, use IPTABLES on the gateway to redirect any request on port 80 to a page that says, "You're infected--clean your system!" Maybe even provide them access to the tools necessary to clean their system via that same webpage.

  24. Ok.... by Audacious · · Score: 4, Insightful

    We've heard from the:

    1. "It can't be done" crowd.
    2. "Be tough about it" crowd.
    3. "Go behind their backs" crowd.

    and others....

    How about this:

    1. Get everyone's e-mail address so you can send all of them e-mail at the same time. How do you do that? Ask them to e-mail you - that's how. Of course, disinfect anything they send you because they probably will have a virus or two.

    1a. How do you get all of them to send you the e-mail? Go buy some of those blank business card sheets (Avery I believe makes these), print up your message, get someone to help you break them apart, and then just tape them to each person's door. In this way you: 1)Don't have to talk to them, 2)Don't try to force them to do what they don't want to do, and 3)Can do it on your own time (like on a floor-by-floor basis). Cost: Probably about $10.00.

    1b. Your message? It should be something like:

    Dormitory SysAdmin needs your help!
    We need your e-mail address as we
    are trying to remove viruses and want
    to be able to keep you informed. Thanks!
    myemailaddress@thedorms.edu

    1c. Put notices on doors leading into the dorm and/or bulletin boards also asking for e-mail addresses. If you can, have someone hand the things out to people as they come in and out of the dorms.

    2. Set up a blog where everyone can meet and talk about problems. Use the e-mail addresses to send your notice out about the blog and how to access it.

    3. Set up appointments with people to meet with them to show them how to protect their system from viruses, ads, cookies, and other problems.

    Ok, let's say you've gotten some responses and want to start to go to other people's rooms to help them out. You want to:

    4. Use the scheduler built in to every operating system currently in use (ie: Mac OS X, Windows98se and up, Linux, BSD, Solaris, etc...). For those OSs which are older (although I can't see anyone currently in college using an Apple ][+ or even Mac OS 9.x or earlier) download and bring with you some sort of a scheduler. (Even the Apple //gs had a CRONTAB program!). Set their machine up so it automatically, every day, trys to download the latest and greatest updates for the OS, SpyBot, AdAware (or whatever you use), your virus protection program, etc.... The MOST IMPORTANT THING THOUGH - is to always explain what it is you are doing to the person's computer. Don't just dump a bunch of things onto their system. Bring a flyer that explains what it is you are doing and why. Set their system up so they can win and so they don't have to rely on you to be there to make everything function correctly. All of the virus/cookie/ad checking software out there can be set up to function on its own. Some of them (like most virus checkers) have their own scheduling software built in.

    4a. NOW! Here is the important thing! Set the virus/ad/cookie (or VAC for short) to AUTOMATICALLY e-mail you with the results. This too can be done via the scheduler. Give the automatically generated e-mail a special header (like [VIRUS|AD|COOKIE] REPORT FOR ROOM X). There are e-mailer programs for all operating systems which run from the command line. So just make a little batch program/shell script to create your report and e-mail it to you. Again, write it all down in the flyer you are going to give them so they don't freak when their system suddenly starts doing things (like checking for viruses or sending e-mail).

    4b. Most virus software's report will read "VIRUS FOUND" and then tell you where and when the virus was found. Write yourself a short Perl/PHP/C/ script which will read these e-mails and sort out which one have viruses and which ones don't have them. Since you made the title have the room number on it - you automatically know who is having problems. So you can e-mail them back and set up a time to go over to fix any problems they might be having. Further, you can produce statistics on where the greatest problems are and post these fi

    --
    Someone put a black hole in my pocket and now I'm broke. :-)
  25. You are NOT punishing the wrong person. by arete · · Score: 4, Insightful

    You should certainly punish the virus writers, if you can catch them. And you should possibly punish M$ for how big of a hole IE still is, even if Windows itself is better than it used to be. But none of that matters.

    To use society's resources, you have to follow society's rules. I can go buy any car I want and drive it at 200 mph - on my own track. But if I want to drive on streets I have to follow the rules, as they apply to my actions (hitting things) even when they may not necessarily have a direct negative impact (speeding, driving on the sidewalks) have only a paper impact (licensing, insurance, registration) or only a preventative impact (headlights, brake lights...)

    I can also go buy a used car and have the brakes suddenly fail, running over someone's garden. Note that even if I didn't know, I'm still responsible for the cost of that garden, (unless I JUST bought it and can pass the blame to the previous owner) If the brakes were recalled, it's still my fault for not getting them fixed. If they WEREN'T recalled, but should've been, then that's not my fault.

    If you're already providing appropriate, simple, free, publicized resources _that they didn't use_ they are being negligent at best. Kicking them off until sometime after they fix it is a MINIMUM penalty for such negligence.

    Argueably they should have to pay for the cost of your time to fix their computer (mandatory since they didn't do it the first time) and to repair any problems caused by their problem - and STILL be penalized in terms of being online.

    (Personally I believe that a kick-until-fixed first warning is probably a necessary threshold of publicity - but even the second time they aren't listening I think it'd be very reasonable to escalate it.)

    To be clear, I don't think it's reasonable in today's world to hold them accountable for anything their computer does. I think it's NECESSARY to hold them accountable for not following your security procedures to defend against it. Which means you're still going to be snuffed by the virus that exploits the OS hole noone has put out a patch for yet - and I wouldn't blame that on the first kid to get it.

    I agree with the other posts - you have to get kick/ban/unplug authority, you have to quit, and/or you have to get paid. 1 of those might do...

    --
    Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
  26. netsquid software package works well for this by gabesk · · Score: 5, Informative

    This is the method used at Texas A&M University, which I attend, for their residence hall network.

    We use netsquid, http://netsquid.tamu.edu/, which is essentially some code that ties into snort to provide automatic filtering by mac address and notification.

    It works quite well.

  27. Our solution by pehrs · · Score: 3, Informative

    I have been working on a similar network for some time, and dealt with similar problems. I don't know if these are optimal solutions, but here is how we are doing it:

    First of all, we have build a simple management system based around SNMPv3. You want this. Take a course in enterprise management or read up on it yourself. The day you stop writing scripts and use a management system instead is the day when you begin to come out on top of the problem. OpenWBEM can be a start if you want to know what can be done.

    Here is our setup:
    Incoming connections are blocked. There has been a discussion about removing this block and allowing "safe" ports. At the moment the issue is rather pointless as we are behind a NAT due to lack of IP space. Outgoing connections to DNS, SMTP and HTTP/HTTPS are filtered to force people to use our servers. Some of the more notorious p2p protocols are capped to keep the bandwidth usage from going insane.

    We have a central register of users. To use the network you have to register and pay a symbolic sum each month. Then you get access to the connection in your room. You are responsible for what happens from your connection. This register gives us an easy way to contact users. To be allowed to join the network you have to sign a paper stating what you are allowed to do and not do. Our TOS are pretty restrictive, but without them we wouldn't be able to manage the net.

    After some network outages (Code Red...) we have implemented a quarantine VPN. We have several IDS spread out, and if they detect a computer spreading malware they move the computer to the quarantine VPN. On this VPN the computer can /ONLY/ connect to the DNS server and the HTTP/HTTPS proxy server. This server provides the user with a message about the computer being infected, links to several sites with patches, free AV and updates. And a note that they will have to contact an administrator to get access renewed. The user can continue browsing freely, but don't do anything else. If they want to get back to the usual network they have to clean up their computer.

    We also have several special checks for "evilness", most important rouge DHCP servers and ARP spoofing. Anybody caught by these simply get their connection pulled until they have explained themselves. Administrators are notoriously slow when it comes to returning connection to people knowingly doing malicious things on the network.